1. Field of the Invention
The present invention relates to a relay device that performs LAN path control, a path control method, and a path control program. The present invention relates more particularly to a relay device or the like that implements security improvements including the collection of logs.
2. Description of the Related Art
In recent years, damage to the information resources of enterprises caused by viruses, worms and the like on networks has become a problem. Cases where switches, routers and the like having security functions are installed as one countermeasure have increased.
Such security switches continually monitor the traffic passing through them and have a function for preventing extended damage by discarding the frames of that traffic upon sensing an anomalous traffic pattern such as a DoS (Denial of Service) attack or worm infection activity.
An ordinary floor LAN is mostly connected to a plurality of terminals by means of a low-function switching hub, repeater hub or the like. A security switch is therefore normally installed at the boundary point between the floor LAN and the backbone LAN so that the configuration of the existing network devices is not affected when the security switch is connected.
FIG. 24A shows a conventional constitutional example of a case where a security switch is provided in a floor LAN.
A security switch 200 is provided between a backbone LAN and a floor LAN, and layer-2 switches (L2SW) 210 and 220 are disposed in subordination to the security switch 200. A client terminal A230 and client terminal B240 are each connected to the respective layer-2 switches 210 and 220. In this case, the terminals A230 and B240 are arranged within the same floor LAN.
In a network configuration connected in this way, when communication is made between terminals A230 and B240, an address acquisition operation is first performed by using an address resolution protocol known as ARP (Address Resolution Protocol).
As shown in FIG. 24A, (1) terminal A230 transmits, by means of a broadcast, an ARP request frame that includes the IP address of terminal B240, and (2) in response to that ARP request, terminal B240 transmits to terminal A230 an ARP reply frame that includes its own MAC (Media Access Control) address.
As a result of this operation, terminal A230 acquires the MAC address of terminal B240. Thereafter, terminal A230 is able to transmit a communication frame addressed to the MAC address of terminal B240 (see FIG. 24B). Thereupon, the layer-2 switches 210 and 220 look up the learning tables they hold, using the destination MAC address as the search key, and forward the frame to the corresponding physical port (the physical port to which terminal B240 is connected). Terminal B240 then performs reception processing on the frame because the destination MAC address of the received frame is its own.
Furthermore, as an example of such conventional technology, a switching hub comprises a table that stores a dummy MAC address that corresponds to a residential port, for example, and, if the destination MAC address of a frame received from the residential port is a dummy MAC address, the switching hub replaces the destination MAC address of the frame with the MAC address of a node that is connected to another residential port corresponding with the dummy MAC address in order to relay a frame (Japanese Patent Application No. 2003-318934, for example).
However, as shown in FIGS. 24A and 24B, in the communications between terminals in the same floor LAN, the transfer of frames is performed only by the layer-2 switches 210 and 220. Hence, because frames are not transferred to the security switch 200, the security monitoring by the security switch 200 cannot be performed.
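The following simulation, added here as an illustration and not part of the patent text, replays the ARP exchange and subsequent data frame of FIGS. 24A and 24B over a small learning-bridge model. The topology (security switch 200 on the uplink of layer-2 switch 210, layer-2 switch 220 cascaded directly from 210, terminal A230 on 210 and terminal B240 on 220), the MAC addresses and the device names are constructed assumptions. The security switch records every frame it is able to inspect, which stands for both the security monitoring discussed here and the log collection mentioned further below: only the flooded ARP request reaches it, while the ARP reply and the data frame are forwarded along the learned path and never pass through it.

```python
"""Learning-bridge simulation of the monitoring gap: a security switch at the
floor/backbone boundary sees flooded broadcasts but not learned unicast traffic
between two terminals on the same floor LAN. Added example; the topology, names
and MAC addresses are assumptions, not taken from the patent text."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str   # source MAC address
    dst: str   # destination MAC address
    kind: str  # "arp-request", "arp-reply" or "data"


class Node:
    """Any device with ports; links map a local port to (peer device, peer port)."""

    def __init__(self, name):
        self.name = name
        self.links = {}

    def connect(self, port, peer, peer_port):
        self.links[port] = (peer, peer_port)
        peer.links[peer_port] = (self, port)


class L2Switch(Node):
    """Learning bridge: learns the source MAC per ingress port, floods unknown
    destinations and broadcasts, forwards known destinations to one port."""

    def __init__(self, name, inspect=False):
        super().__init__(name)
        self.inspect = inspect  # True for the security switch (monitor + log)
        self.table = {}         # learning table: MAC -> port
        self.inspected = []     # kinds of frames the security switch examined

    def receive(self, frame, in_port, trace):
        trace.append(self.name)
        if self.inspect:
            self.inspected.append(frame.kind)   # security monitoring / log entry
        self.table[frame.src] = in_port         # learn the source address
        if frame.dst == BROADCAST or frame.dst not in self.table:
            out_ports = [p for p in self.links if p != in_port]   # flood
        else:
            out_ports = [self.table[frame.dst]]                   # learned path
        for port in out_ports:
            peer, peer_port = self.links[port]
            peer.receive(frame, peer_port, trace)


class Terminal(Node):
    def __init__(self, name, mac):
        super().__init__(name)
        self.mac = mac
        self.received = []

    def send(self, frame, trace):
        peer, peer_port = self.links[0]
        peer.receive(frame, peer_port, trace)

    def receive(self, frame, in_port, trace):
        trace.append(self.name)
        if frame.dst in (self.mac, BROADCAST):
            self.received.append(frame.kind)


def run_scenario():
    """Build the assumed FIG. 24A-style topology and replay ARP request, ARP
    reply and data frame. Returns the device path of each frame plus the
    frames the security switch was able to inspect."""
    sec = L2Switch("SecSW200", inspect=True)
    sw210, sw220 = L2Switch("L2SW210"), L2Switch("L2SW220")
    a = Terminal("A230", "00:00:00:00:00:0a")  # constructed MAC addresses
    b = Terminal("B240", "00:00:00:00:00:0b")
    sec.connect(1, sw210, 0)     # security switch on the uplink port of 210
    sw210.connect(1, sw220, 0)   # floor switches cascaded directly (assumed)
    a.connect(0, sw210, 2)
    b.connect(0, sw220, 1)

    traces = {}
    for kind, sender, dst in (("arp-request", a, BROADCAST),
                              ("arp-reply", b, a.mac),
                              ("data", a, b.mac)):
        trace = []
        sender.send(Frame(sender.mac, dst, kind), trace)
        traces[kind] = trace
    traces["inspected"] = list(sec.inspected)
    return traces


if __name__ == "__main__":
    for kind, path in run_scenario().items():
        print(f"{kind:12s} {path}")
```

Running the script shows the ARP request traversing L2SW210, SecSW200, L2SW220 and B240, whereas the ARP reply and the data frame are forwarded L2SW220 to L2SW210 to A230 and L2SW210 to L2SW220 to B240 respectively, so the security switch's inspection list contains the ARP request only. This is exactly the gap the passage describes: a monitoring or logging device placed at the boundary cannot observe intra-floor unicast traffic once the layer-2 switches have learned both addresses.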
In this case, when a terminal that has been infected by a worm is connected, for example, worm-infected frames spread through the floor LAN and all the terminals in the same floor LAN end up suffering worm-infection damage.
Further, in Japanese Patent Application No. 2003-318934, although frames transferred between nodes connected to different physical ports pass through the switching hub 101 and thus pose no problem, when communication takes place only between a plurality of nodes 113 and 114 on the same port, the frames no longer pass through the switching hub 101, and security monitoring likewise cannot be performed.
On the other hand, the above problem might also be avoided by providing the layer-2 switches 210 and 220 in FIG. 24A with a security function. However, when the layer-2 switches 210 and 220 are provided with such a security function, costs and production requirements increase further. An increase in security is therefore desirable without changing the existing network configuration as far as possible.
Although the above examples were described with respect to security, when communication is performed only between terminals 230 and 240, for exactly the same reasons the security switch 200 is also unable to collect a communication log.